# Advanced Encryption Standard (AES)

Gianluca Dini
Dept. of Ingegneria dell'Informazione
University of Pisa
gianluca.dini@unipi.it

Version: 2021-03-22

1

#### **AES history**



- 1997: NIST publishes request for proposal
- 1998: Fifteen proposals
- 1999: NIST chooses five finalists
  - Mars, RC6, Rijndel, Serpent, Twofish
- 2000: NIST choses Rijndael as AES
  - Key sizes: 128, 192, 256
    - the longer, the more secure but the slower
  - Block size: 128 bits
- 2003: NSA allows AES in classified documents
  - Level SECRET: all key lengths
  - Level TOP SECRET: k = 256, 512
  - Never happened before for a public algorithm

mar. '22 AES 2



#### Introduction



- AES
  - Has rounds
  - Does not have a Feistel network structure
  - Encrypts an entire block in each round
    - DES encrypts half a block => #round<sub>AES</sub> < #round<sub>DES</sub>
  - Data path is called «state»

mar. '22 AES

#### Round and layers



- Each round but the first has three layers
- Layers
  - Key addition layer
  - Byte substitution layer (S-box) Confusion, Non-linear
  - Diffusion layer Diffusion
    - Two (linear) sublayers:
      - ShiftRows permute data byte-wise
      - MixColumn Mix blocks of four bytes (matrix operation)
  - Galois fields mathematical setting
    - · S-box, MixColumn

r. '22 AES

5

#### Mathematical setting



- Galois field GF(28)
  - Operations in S-box and MixColumn are performed in this field
  - Elements of GF(2<sup>m</sup>) can be represented as a polynomials of degree m – 1 with parameters in GF(2)
    - An A element of GF(28) represents one byte

- A = 
$$a_7x^7 + ... + a_1x + a_0$$
 with  $a_i \in GF(2) = \{0, 1\}$ 

- $A = (a_7, a_6, a_5, a_4, a_3, a_2, a_1, a_0)$
- · We cannot use integer arithmetic
- · We must use polynomial arithmetic

mar. '22 AES 6

#### Mathematical setting



- · Polynomial arithmetic
  - Addition, subtraction
  - Multiplication
    - · Core operation of MixColumn
    - Reduction, irreducible polynomial (rough equivalent of prime number)
      - A(x)  $\times$  B(x)  $\equiv$  C(x) mod P(x), with P(x) irreducible polynomial of degree m
      - AES:  $P(x) = x^8 + x^4 + x^3 + x^1 + 1$

mar. '22 AES

7

### Mathematical setting



- Polynomial arithmetic
  - Division
    - Core operation of Byte Substitution (S-boxes)
    - $A(x)\cdot A(x)^{-1} \equiv 1 \mod P(x)$
    - In small fields (smaller than 2<sup>16</sup> elements), inverse can be precomputed by lookup tables

mar. '22 AES 8









#### **AES Security**



- There is currently no analytical attack against AES known to be more efficient than brute force attack
- For more information about AES security see AES Lounge
  - ECRYPT Network of Excellence (FP6)
  - https://www.iaik.tugraz.at/content/research/krypto/aes/

mar. '22 AES 13

13

#### AES security - best known attacks



- Best key recovery attack
  - Four times better than exhaustive key search
  - 128-bit key => 126-bit key
- "Related key" attack in AES-256
  - Given  $2^{99}$  pt-ct pairs from four related keys in AES-256, we can recover keys in  $2^{99}$  ( $\ll 2^{256}$ )
    - · Very large data-/time-complexity
    - · Randomly generated keys cannot be related

mar. '22 AES 14

#### AES Performance (1/2)



- Software implementation
  - Direct implementation is well-suited for 8-bit processors (e.g., smartcard)
    - Processing 1-byte per instruction
  - For 32-/64-bit architecture, T-box optimization
    - Merge all the round functions into one look-up table (but key addition)
      - 4 tables (1 per byte) of 256 entries;
         each entry is 32 bit
      - 1 round, 16 lookups
  - Few hundreds Mbit/s



15

15

#### AES Implementation (2/2)



- · Hardware implementation
  - AES requires more HW resources than DES
    - · High throughput implementation in ASIC/FPGA
    - Ten Gigabit/s
  - Block cipher is extremely fast compared to
    - · Asymmetric algorithms
    - Compression algorithms
    - · Signal processing algorithms
  - For more information see AES Lounge

mar. '22

AES

16

## Code size/performance tradeoff



|                                                  | Code size | Performance                         |
|--------------------------------------------------|-----------|-------------------------------------|
| Pre-compute round<br>functions<br>(24KB or 4 KB) | Largest   | Fastest<br>(table lookups and xors) |
| Pre-compute S-box only (256 bytes)               | Smaller   | Slower                              |
| No pre-computation                               | Smallest  | Slowest                             |

mar. '22 AES 17

17



#### AES in hardware



- AES instructions in Intel Westmere
  - aesenc, aesenclast: do one round of AES
    - 128-bit registers: xmm1 = state, xmm2 = round key
    - aesenc xmm1, xmm2 puts result in xmm1
  - aeskeygenassist performs key expansion
  - Implement AES in ten instructions
    - 9x aesenc + aesenclast
  - Claim 14x speed-up over OpenSSL on the same hw
- Similar instructions for AMD Bulldozer

ar. '22 AES 19